Re: Firewall - Limit Geographic Area
From: lrnobs (lrnobs_at_firstclasssolutions.net)
Date: 10/16/03
- Previous message: Kent Borg: "Re: Firewall - Limit Geographic Area"
- In reply to: Kent Borg: "Re: Firewall - Limit Geographic Area"
- Next in thread: Zoki: "Re: Firewall - Limit Geographic Area"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: <redhat-list@redhat.com> Date: Thu, 16 Oct 2003 16:48:22 -0500
Thanks, I appreciate your time.
Larry Nobs
----- Original Message -----
From: "Kent Borg" <kentborg-rhl@borg.org>
To: <redhat-list@redhat.com>
Sent: Thursday, October 16, 2003 4:35 PM
Subject: Re: Firewall - Limit Geographic Area
> On Thu, Oct 16, 2003 at 12:37:23PM -0500, lrnobs wrote:
> > Remember that I am a beginner at this and am trying to learn about
> > all the weapons that are available to protect my little site.
>
> Security. A lot of people have a lot of good advice about security,
> but much of it is unrealistic.
>
> Attempting to be reasonable, here is my current recipe for security:
>
> - Redhat's default install is quite secure (and at least a zillion
> times more secure than a Microsoft Windows machine can be).
>
> - Redhat's distribution is *only* secure if you keep up to date with
> their bug fixes. Redhat is conservative about what they release
> as a fix, so you want apply them all. And apply these fixes
> promptly! RHN makes it easy. (Consider buying one of their
> Enterprise products, they have much longer life span during which
> Redhat will supply updates.)
>
> - You do not have to understand everything that Redhat has done in
> their configuration (this is because they have done a decent job),
> but you *do* have to understand everything you do that deviates
> from Redhat's configuration, or you *will* introduce security
> holes. This means you can start out not being a know-it-all, and
> learn more as you get in deeper. (But you should learn enough
> right away to understand what I talk about here.)
>
> - Get another Linux computer, possibly a notebook, and use it as a
> safer place to learn, a place which won't disrupt your business.
> Keep it secure too.
>
> - Do not let the passwords for your server get in the hands of
> hardware you don't control. This means:
>
> - do not reuse passwords between your server and, say, random
> websites on the internet (it is OK to write passwords down if
> it makes it possible to not reuse passwords, just don't write
> down in a stupid place, such as putting your ATM pin on your
> ATM card);
>
> - use good passwords, this means make them long, which Linux
> allows, try to have their components be things you didn't
> choose (that way no one could guess what you would
> choose--people are very bad at being random), what I do is
> *randomly* choose three english language words, connect them
> with hyphens, and use that (if you would like I can supply
> more information on exactly how I do any why it is secure);
>
> - do not let your server passwords into hardware you don't
> control (not at Kinkos, not at airport Kiosks, not over
> unencrypted links such as telnet, unencrypted pop, etc.,
> instead login at your server or through your own laptop, use
> ssh, encrypted pop, etc.);
>
> - don't ssh into a computer you don't control and then ssh into
> your server, that is like typing on a Kinkos keyboard).
>
> - If you think you have been broken into, assume the compromised
> computer is out to get you and will report everything it can back
> to the Bad Guys. Get necessary pure data (not software!) backed
> up on floppy or CD, get evidence of what happened if you can, then
> rebuild from first principles. Reformat, use original media,
> apply all fixes, do fresh downloads of any extras you collected,
> etc.
>
> - Do not operate as root except when you have to. Fire up X as you,
> and type the extra password when you do any adminstration.
>
> - Be leery of fancy things being done for you as a user. Use the
> simpler e-mail program over the fancy one with all the bells and
> whistles. Turn off features that smack of things being done for
> you automatically, those features are more likely to be subverted.
> Worry about Javascript in your web browser, it has been associated
> with lots of bugs and security holes in the past, consider keeping
> it turned off except when you need it for a trusted site that
> requires it, then turn it off again. Decide whether you really
> need to install Flash or other web plugins. Open Office is a cool
> software suite, but it has a powerful macro feature, be worried
> about what documents you hand it--where did they come from?, one
> of these days there will be a macro virus or worm that uses that
> avenue, be cautious and you could well avoid that bug, I plan to.
>
> - Do not strip your server down so far that you can't readily use it
> anymore. To do that well you will need to know more than a newbie
> does, you will likely introduce more vulnerabilities than you
> remove.
>
> - Do not depend on a firewall for security. Firewalls are
> complicated to set up because they require a significant
> understanding of networking, and you could easily get it wrong.
> Make your system secure without a firewall. Only then add a
> firewall, and only as an *extra* protection.
>
> - As you learn more, consider ways you might make Redhat's
> installation more secure. For example, probably use Postfix
> (which was designed to be secure, and Redhat installs it for you)
> instead of sendmail (which is old and groady), maybe install and
> use Maradns (which was written to be secure) instead of bind
> (which is also groady).
>
> - Do not blindly trust anyone, stop and think. This includes not
> trusting any advice I give you--stop and think about what I say,
> check out my assertions of fact (such as whether Redhat's default
> install is reasonably secure, whether their updates are
> conservative, whether Postfix and Maradns have good security
> reputations, etc. www.google.com/linux is your friend).
>
> Warning: some will disagree with what I write here. Listen to them,
> see if what they say makes sense. Think.
>
>
>
> -kb, the Kent who is waiting for the fan to get dirty.
>
>
> P.S. Non-security advice: Keep a log of everything you do to your
> server. It will not only be useful as a reference, but it will slow
> you down in how you mangle your server by forcing you to take those
> notes.
>
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
>
>
-- redhat-list mailing list unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
- Previous message: Kent Borg: "Re: Firewall - Limit Geographic Area"
- In reply to: Kent Borg: "Re: Firewall - Limit Geographic Area"
- Next in thread: Zoki: "Re: Firewall - Limit Geographic Area"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
